Category archives: VPN

SRX VPN

SRX remote-access (dynamic) VPN configuration

Creating a remote-access VPN account. The user must appear both under security dynamic-vpn clients all user and as a client of the access profile the dynamic VPN authenticates against (dyn-vpn-access-profile here, access-profile-NOMAD in the full configuration below), with the same username in both statements, otherwise XAuth fails for that user:

set security dynamic-vpn clients all user erilag
set access profile dyn-vpn-access-profile client erilag firewall-user password ThiSiSPWD

Complete configuration of an SRX with a remote-access VPN. The WAN interface is fe-0/0/0.0 and 10.152.0.0/16 is the protected subnet behind the SRX, i.e. the prefix the client routes into the tunnel; the clients themselves get addresses from the 10.254.254.0/24 pool, and remote-exceptions 0.0.0.0/0 sends everything else outside the tunnel (split tunnelling). Aggressive mode is used because the peers have dynamic addresses and the gateway needs the IKE ID (dynvpn, matched as a group ID) before it can select the pre-shared key; that key is shared by every client and its hash is handed to any peer that initiates, so keep it long and random as below and treat the XAuth username/password from the access profile as the real per-user authentication. The tunnel policy matches any/any; restrict the destination to 10.152.0.0/16 in production:

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

set system services web-management https system-generated-certificate
set security ike policy ike-policy-NOMAD mode aggressive
set security ike policy ike-policy-NOMAD proposal-set standard
set security ike policy ike-policy-NOMAD pre-shared-key ascii-text aopIkn769hgtio9IhgnZuo81hg

set security ike gateway ike-gate-NOMAD ike-policy ike-policy-NOMAD
set security ike gateway ike-gate-NOMAD dynamic hostname dynvpn
set security ike gateway ike-gate-NOMAD dynamic connections-limit 5
set security ike gateway ike-gate-NOMAD dynamic ike-user-type group-ike-id
set security ike gateway ike-gate-NOMAD external-interface fe-0/0/0.0
set security ike gateway ike-gate-NOMAD xauth access-profile access-profile-NOMAD

set security ipsec policy ipsec-policy-NOMAD proposal-set standard
set security ipsec vpn ipsec-vpn-NOMAD ike gateway ike-gate-NOMAD
set security ipsec vpn ipsec-vpn-NOMAD ike ipsec-policy ipsec-policy-NOMAD

set security policies from-zone untrust to-zone trust policy INCOMING-VPN-NOMAD match source-address any
set security policies from-zone untrust to-zone trust policy INCOMING-VPN-NOMAD match destination-address any
set security policies from-zone untrust to-zone trust policy INCOMING-VPN-NOMAD match application any
set security policies from-zone untrust to-zone trust policy INCOMING-VPN-NOMAD then permit tunnel ipsec-vpn ipsec-vpn-NOMAD

set security dynamic-vpn access-profile access-profile-NOMAD
set security dynamic-vpn clients all remote-protected-resources 10.152.0.0/16
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn ipsec-vpn-NOMAD
set security dynamic-vpn clients all user vindhe

set access profile access-profile-NOMAD client vindhe firewall-user password Vindhe21
set access profile access-profile-NOMAD address-assignment pool address-pool-NOMAD

set access address-assignment pool address-pool-NOMAD family inet network 10.254.254.0/24
set access address-assignment pool address-pool-NOMAD family inet xauth-attributes primary-dns 85.31.192.22/32
set access address-assignment pool address-pool-NOMAD family inet xauth-attributes secondary-dns 85.31.193.22/32

set access firewall-authentication web-authentication default-profile access-profile-NOMAD

To insert into the PROTECT-ROUTING-ENGINE filter (the routing-engine protection filter, typically applied to lo0) before the EVERYTHING-ELSE (discard) term. A plain set appends each new term after the existing ones, i.e. after the discard, where it never matches and IKE, ESP and HTTPS towards the SRX are silently dropped; after loading the lines below, reorder them with "insert firewall family inet filter PROTECT-ROUTING-ENGINE term ESP before term EVERYTHING-ELSE" (and the same for IKE and HTTPS) and check the term order with "show firewall family inet filter PROTECT-ROUTING-ENGINE" before committing:

set firewall family inet filter PROTECT-ROUTING-ENGINE term ESP from protocol esp
set firewall family inet filter PROTECT-ROUTING-ENGINE term ESP then accept
set firewall family inet filter PROTECT-ROUTING-ENGINE term IKE from protocol udp
set firewall family inet filter PROTECT-ROUTING-ENGINE term IKE from destination-port 500
set firewall family inet filter PROTECT-ROUTING-ENGINE term IKE from destination-port 4500
set firewall family inet filter PROTECT-ROUTING-ENGINE term IKE then accept
set firewall family inet filter PROTECT-ROUTING-ENGINE term HTTPS from protocol tcp
set firewall family inet filter PROTECT-ROUTING-ENGINE term HTTPS from destination-port https
set firewall family inet filter PROTECT-ROUTING-ENGINE term HTTPS then accept
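The configuration above is a chain of cross-references (clients all user -> access-profile client, clients all ipsec-vpn -> ipsec vpn -> ike gateway -> xauth access-profile, external-interface -> zone host-inbound-traffic, and term order in the RE filter) and a mismatch anywhere fails without any commit error. The script below is an added example, not part of these notes and not a Juniper tool: it runs those checks over a "show configuration | display set" export. The embedded sample is constructed from the page's own statements with two deliberate mistakes (the dynamic-vpn user differs from the access-profile client, and the filter accept terms were added after the discard term) next to the corrected version; the function and finding names are mine.

```python
"""Cross-reference checks for an SRX dynamic-VPN 'display set' export (added example)."""

# Constructed sample (not from a real device): the page's statements plus two
# deliberate mistakes: the dynamic-vpn user differs from the access-profile
# client, and the RE-filter accept terms were added with 'set' after the discard.
SAMPLE_CONFIG = """\
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security ike policy ike-policy-NOMAD mode aggressive
set security ike gateway ike-gate-NOMAD ike-policy ike-policy-NOMAD
set security ike gateway ike-gate-NOMAD external-interface fe-0/0/0.0
set security ike gateway ike-gate-NOMAD xauth access-profile access-profile-NOMAD
set security ipsec vpn ipsec-vpn-NOMAD ike gateway ike-gate-NOMAD
set security dynamic-vpn access-profile access-profile-NOMAD
set security dynamic-vpn clients all ipsec-vpn ipsec-vpn-NOMAD
set security dynamic-vpn clients all user uglyshadow
set access profile access-profile-NOMAD client erilag firewall-user password ThiSiSPWD
set firewall family inet filter PROTECT-ROUTING-ENGINE term EVERYTHING-ELSE then discard
set firewall family inet filter PROTECT-ROUTING-ENGINE term ESP from protocol esp
set firewall family inet filter PROTECT-ROUTING-ENGINE term ESP then accept
set firewall family inet filter PROTECT-ROUTING-ENGINE term IKE from protocol udp
set firewall family inet filter PROTECT-ROUTING-ENGINE term IKE from destination-port 500
set firewall family inet filter PROTECT-ROUTING-ENGINE term IKE then accept
"""

# Same sample with both mistakes corrected: user aligned, discard term last.
_lines = SAMPLE_CONFIG.replace("user uglyshadow", "user erilag").splitlines()
_discard = [l for l in _lines if l.endswith("then discard")]
FIXED_CONFIG = "\n".join([l for l in _lines if l not in _discard] + _discard) + "\n"


def parse(config_text):
    """Split 'set ...' statements into token lists; anything else is ignored."""
    return [line.split() for line in config_text.splitlines() if line.startswith("set ")]


def matching(stmts, *prefix):
    """Yield the tokens that follow PREFIX for every statement starting with it."""
    n = len(prefix)
    for s in stmts:
        if tuple(s[1:1 + n]) == prefix:
            yield s[1 + n:]


def check_dynamic_vpn(stmts):
    """Follow dynamic-vpn -> access profile -> ipsec vpn -> ike gateway -> zone."""
    findings = []
    profiles = [t[0] for t in matching(stmts, "security", "dynamic-vpn", "access-profile")]
    if not profiles:
        return ["ERROR: no 'security dynamic-vpn access-profile' configured"]
    profile = profiles[0]
    clients = {t[1] for t in matching(stmts, "access", "profile", profile) if t[:1] == ["client"]}
    # every user allowed on the dynamic VPN must exist as a client of that profile
    for user in (t[0] for t in matching(stmts, "security", "dynamic-vpn", "clients", "all", "user")):
        if user not in clients:
            findings.append(f"ERROR: dynamic-vpn user {user} is not a client of {profile}")
    for vpn in (t[0] for t in matching(stmts, "security", "dynamic-vpn", "clients", "all", "ipsec-vpn")):
        for gw in (t[0] for t in matching(stmts, "security", "ipsec", "vpn", vpn, "ike", "gateway")):
            # XAuth must authenticate against the same profile
            xauth = [t[0] for t in matching(stmts, "security", "ike", "gateway", gw, "xauth", "access-profile")]
            if xauth != [profile]:
                findings.append(f"ERROR: gateway {gw} xauth access-profile {xauth} is not {profile}")
            # the external interface must accept IKE (UDP 500/4500) and HTTPS (client auth/download)
            for ifname in (t[0] for t in matching(stmts, "security", "ike", "gateway", gw, "external-interface")):
                services = {z[5] for z in matching(stmts, "security", "zones", "security-zone")
                            if len(z) > 5 and z[1:5] == ["interfaces", ifname, "host-inbound-traffic", "system-services"]}
                for svc in ("ike", "https"):
                    if svc not in services:
                        findings.append(f"ERROR: {ifname} has no host-inbound-traffic system-services {svc}")
            # aggressive mode is needed for dynamic peers but hands a PSK hash to any initiator
            for pol in (t[0] for t in matching(stmts, "security", "ike", "gateway", gw, "ike-policy")):
                if ["aggressive"] in list(matching(stmts, "security", "ike", "policy", pol, "mode")):
                    findings.append(f"WARN: IKE policy {pol} uses aggressive mode; keep the PSK long and random")
    return findings


def check_re_filter(stmts, filter_name="PROTECT-ROUTING-ENGINE"):
    """Terms match in configuration order, so an accept placed after the discard is dead."""
    order, action = [], {}
    for t in matching(stmts, "firewall", "family", "inet", "filter", filter_name, "term"):
        if t[0] not in order:
            order.append(t[0])
        if t[1:2] == ["then"]:
            action[t[0]] = t[2]
    first_discard = next((n for n in order if action.get(n) == "discard"), None)
    if first_discard is None:
        return []
    dead = [n for n in order[order.index(first_discard) + 1:] if action.get(n) == "accept"]
    return [f"ERROR: term {n} comes after discard term {first_discard}; fix with 'insert firewall "
            f"family inet filter {filter_name} term {n} before term {first_discard}'" for n in dead]


def audit(config_text):
    """All findings for a 'display set' export; an empty list means nothing to fix."""
    stmts = parse(config_text)
    return check_dynamic_vpn(stmts) + check_re_filter(stmts)


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label}:", *(audit(cfg) or ["OK"]), sep="\n  ")
```

Run it on a real export by passing the text of "show configuration | display set" to audit(); the aggressive-mode warning is expected for this design and is there so the PSK gets the attention it deserves, whereas every ERROR line corresponds to a tunnel or a login that will not come up.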

VPN debugging

Cisco ASA

show crypto ipsec sa peer <peer-IP>    -> phase 2 (IPsec SAs)
show crypto isakmp sa                  -> phase 1 (IKE SAs)
clear ipsec sa peer <peer-IP>          -> phase 2
clear isakmp sa <peer-IP>              -> phase 1

SRX Junos

show security ike active-peer
show security dynamic-vpn users terse
show security ipsec security-associations
show security ike security-associations

Restarting the daemons (note that restarting ipsec-key-management tears down every IKE and IPsec SA on the device, not only the remote-access tunnels):

restart ipsec-key-management immediately
restart pki-service immediately
restart web-management
restart ipsec-key-management

Clearing the tokens tied to a remote-access VPN account (from the Junos operational CLI; the web service then needs a restart):

- start shell
- rm -rf /var/db/dynamic-vpn-ipsec/tokens-info
- exit
- restart web-management